As we become a more internationally diverse group, it is important all
get to participate in the decision making. I agree Board calls are
useful for accelerating decisions based on back-and-forth conversations
but it is not fair to those that can’t participate due to time zone,
travel or real day jobs.
One of the things we have agreed to as a Board is that WG decisions
need to be put onto the Board list as recommendations. The Board then
has a specified time to disagree with the recommendations. If there is
no disagreement when the time period expires, the recommendations are
approved.
Maybe we could consider that type of approach for Board call decisions.
The call minutes could have a section that specifically lists the
decisions agreed to on the call with some background on the decision.
The minutes would be posted with the decisions section copied and
included in the body of the Board Minutes message in addition to the
attached minutes file. The Board members then have a week (or some
specified time) to disagree and initiate a conversation. Any decisions
not addressed are blessed with the “silence begets acceptance” approach.
We should be addressing the decisions that Board members have an issue
with or need clarification on, not the ones we agree on.
--
Kent Landfield
817-637-8026
kent_landfield@mcafee.com
On 7/7/17, 2:55 PM, "owner-cve-editorial-board-list@lists.mitre.org on
behalf of Waltermire, David A. (Fed)"
<owner-cve-editorial-board-list@lists.mitre.org on behalf of
david.waltermire@nist.gov> wrote:
Who is responsible for deciding how big/risky or small/minor a
given issue is? I wouldn't want that job.
The problem is those present on the board call might think an issue
is "small" and inconsequential. Those that might find a big problem in
a small thing might not be present on a given call to raise such a
concern. This is where there is value in sending a short email to the
list to keep everyone looped in. We have had some examples of this in
the past with changes to CVE status, impacts on downstream consumers,
etc.
Regards,
Dave
> -----Original Message-----
> From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]
> Sent: Friday, July 07, 2017 3:46 PM
> To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> <david.waltermire@nist.gov>
> Cc: Carsten Eiram <che@riskbasedsecurity.com>;
cve-editorial-board-list
> <cve-editorial-board-list@LISTS.MITRE.ORG>
> Subject: Re: Current standards/criteria for 'Undefined Behavior'
>
> On Fri, 2017-07-07 at 18:49 +0000, Coffin, Chris wrote:
> > One worry in going this route would be that we'd never actually
make
> > any decisions on the Board calls and the value of them could be
> > greatly diminished.
>
> I understand and applaud the drive to get things done and decided.
>
> On the other hand, for some decisions, more time to think things
through
> and leverage the input of the entire board would be wise.
> Board calls are the perfect place to make decisions too minor, or
irrelevant to
> the board's interests, for the entire board to get involved, for
efficiency's
> sake. I think it's a judgment call to decide which decisions can
be done on the
> calls. However, CVE assignment policy decisions are of interest
to the entire
> board. My point is that splitting the difference in the middle,
and having
> some categories of decisions flagged for mailing list
discussions, may be close
> to optimal.
>
> Pascal